
CVE-2020-28437: heroku-env susceptible to command injection

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.25756%
Published: 8/3/2022
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
heroku-env   | npm       | <= 0.2.0            |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability documentation explicitly states that the injection point is in lib/get.js, which is required by index.js. The PoC shows the root function exported from lib/get.js being called with untrusted input that contains shell metacharacters. This matches the classic command injection pattern: unsanitized input flows into a system command. Because the function parses environment variables and hands them to CLI tools such as pg_dump and psql, it is a natural place for a command string to be built without proper escaping.


WAF Protection Rules

WAF Rule

A command injection vulnerability affects all versions of package heroku-env. The injection point is located in lib/get.js, which is required by index.js.
